HIPAA standards to date: What you need to know
The Health Insurance Portability and Accountability Act (HIPAA) eventually will include seven sets of regulations. So far, three have been released:
• Transaction standards, which set out standardized ways that patient health, administrative, and financial data can be transmitted. These regulations go into effect Oct. 16, 2002, for most entities. Small health plans have an additional year. The transaction standards deal primarily with information technology issues, but some may affect certain providers, says Janice Cunningham, an attorney with The Healthcare Group, a Pilgrim Meeting, PA-based health care consulting firm.
For instance, the standards specify that Diagnostic and Statistical Manual codes no longer are acceptable for mental health illnesses. Providers must use the ICD-9-CM codes. Providers are required to convert to the National Drug Code system for drug coding. Otherwise, the regulations may be a boon to case managers because they specify a standard format for verification of coverage, authorization for procedures, and referrals. "It should streamline operations, because case managers will be using a standard form instead of a lot of different forms," Cunningham says.
• Privacy regulations, which go into effect April 14, 2003, and mandate sweeping changes in the way individually identifiable health information is handled and disclosed. Small health plans have until April 14, 2004, to meet these standards. These will have the greatest effect on how case managers do their jobs. (For details, see "Cover your bases with HIPAA privacy forms" and "Learn the components of the HIPAA privacy regs," in this issue.)
In a nutshell, the privacy regulations mean that the health care industry will have to protect the privacy of patients’ medical information, will have to inform patients in writing about how the information will be used, and will have to track and manage the information the way they told the patients they would. The regulations cover any individually identifiable information, whether it is disclosed in oral conversations, by electronic transmission, or in written documentation, and whether that documentation is produced by hand, by typewriter, or on a computer.
The final rule establishes civil and criminal penalties for noncompliance. They range from $100 per person per incident for unintentional disclosure, up to a $250,000 fine and 10 years in jail for selling medical information. The Justice Department’s Office of Civil Rights has been given the authority to investigate violations of the final privacy regulations. A whistle-blower provision allows anyone who says he or she has been hurt by a violation of the privacy regulations to file a complaint. The regulations also allow the Office of Civil Rights to conduct general compliance reviews without a whistle-blower.
• Security standards, which protect the confidentiality of health care data that are stored or transmitted. Under the regulations, businesses that transmit or maintain electronic health information must develop a security plan. The final security standards have not been issued. The preliminary regulations are extremely technical and involved, Cunningham says.
The bulk of the security regulations cover software issues, but they also include staff training and physical security of health information, some of which overlap the privacy regulations, she says. These include coding, encrypting information, firewalls to keep hackers out, password protection, and authentication mechanisms to ensure that the right person receives the data. The proposed security standards also contain a chain-of-trust agreement that requires anyone who sends or receives the data to have the same kind of security.
Still in the works are development of unique identifiers for employers, unique identifiers for providers, unique identifiers for health plans, and enforcement procedures. The final rules for these provisions are in development. The HIPAA law also called for a unique health identifier for individuals, but the U.S. Department of Health and Human Services and Congress have indefinitely postponed any efforts to develop this standard.